WP 29 has published the following documents adopted on 29 November 2017:
- WP 256 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules; and
- WP 257 Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules
WP 29 sets out that taking into account that Article 47.2 GDPR sets forth a minimum set of elements to be inserted within Binding Corporate Rules, these amended tables are meant to:
- Adjust the wording of the previous referential so as to keep it in line with Article 47 GDPR;
- Clarify the necessary content of BCRs as stated in Article 47 (taking into account documents WP 742 and WP 1083, for controller BCR and in document WP 204 for processor BCRs, as adopted by the WP29 within the framework of the directive 95/46/EC and );
- Make the distinction between what must be included in BCRs and what must be presented to the competent Supervisory Authority (competent SA) in the BCRs application (document WP 1334 for Controller BCRs and document WP 195a for Processor BCRs );
- For Controller BCRs : give the principles the corresponding text references in Article 47 GDPR; and
- Provide explanations/comments on the principles one by one.
WP29 draws attention in particular to the following elements:
Common to both types of BCRs
- Right to lodge a complaint: Data subjects should be given the choice to bring their claim either before the Supervisory Authority (‘SA’) in the Member State of his habitual residence, place of work or place of the alleged infringement (pursuant to Art. 77 GDPR) or before the competent court of the EU Member States (choice for the data subject to act before the courts where the data exporter has an establishment or where the data subject has his or her habitual residence (Article 79 GDPR).
- Scope of application: The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members (GDPR Art. 47.2.a). The BCRs must also specify its material scope, for instance the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects affected and the identification of the recipients in the third country or countries (GDPR Art. 47.2.b).
Specific to Controller BCRs
- Data Protection principles: Along with the principles of transparency, fairness, purpose limitation, data quality, security, the BCRs should also explain the other principles referred to in Article 47.2.d – such as, in particular, the principles of lawfulness, data minimisation, limited storage periods, guarantees when processing special categories of personal data, the requirements in respect of onward transfers to bodies not bound by the binding corporate rules.
- Transparency: All data subjects benefitting from the third party beneficiary rights should in particular be provided with information as stipulated in Articles 13 and 14 GDPR and information on their rights about processing and the means to exercise those rights, the clause relating to liability and the clauses relating to the data protection principles.
- Accountability: Every entity acting as data controller shall be responsible for and able to demonstrate compliance with the BCRs (GDPR Art. 5.2).
Specific to Processor BCRs
- Data Protection principles: Along with the obligations arising from principles of transparency, fairness, lawfulness, purpose limitation, data quality, security, the BCRs should also explain how other requirements, such as, in particular, in relation to data subjects rights, sub-processing and onward transfers to entities not bound by the BCRs will be observed by the processor.
- Accountability: Processors will have an obligation to make available to the controller all information necessary to demonstrate compliance with their obligations including through audits and inspections conducted by the Controller or an auditor mandated by the Controller (Art. 28-3-h GDPR).
- Service Agreement: The Service Agreement between the Controller and the Processor must contain all required elements as provided by Article 28 of the GDPR.